Author(s): Gen Zhang
Abstract: Fuzzing is an efficient testing technique for catching bugs early, before they turn into vulnerabilities. Without complex program analysis, fuzzers extended with coverage information can generate interesting results and find potential bugs in programs. However, we observed that previous coverage-based fuzzers, such as American Fuzzy Lop (AFL), either fail to recognize the importance of the order in which input test cases are processed or are unable to adopt useful coverage information, so some of them suffer from dramatically poor performance. Meanwhile, the main idea of test case prioritization (TCP) in the field of software testing is to rank test cases according to a certain rule, leveraging the coverage relation between source code and test cases, in order to help identify bugs and vulnerabilities. Our work therefore concentrates on complementing fuzzing techniques with the characteristics of TCP and improving the effectiveness and efficiency of traditional fuzzers.
In this paper, we present a combined fuzzing technique, integrating useful coverage information with the prioritization properties commonly used in TCP, which enhances the process of creating new test cases and finding bugs. We implement our method by extending the state-of-the-art fuzzer AFL with TCP techniques and evaluate it on 6 widely-used programs from GNU. We conduct experiments on these 6 target programs to assess our performance in both bug detection and time cost. In all of these experiments, our method shows improvement and produces significantly better outcomes.
Keywords: fuzzing; test case prioritization; coverage information; security
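As an added illustration (not the paper's own code), the following Python ranks a fuzzer's seed queue with two classic TCP rules, total and additional coverage, over constructed per-seed edge-coverage sets that stand in for AFL's coverage bitmap; the choice of ranking rule is an assumption, since the abstract does not name one.

```python
"""Ordering a fuzzer's seed queue with test case prioritization (TCP).

Added illustration, not the paper's code. Each seed carries the set of
edge IDs it hit during a dry run (an abstraction of AFL's coverage
bitmap). The 'total' and 'additional' rules below are the classic TCP
prioritizations and are assumed here as the ranking rule.
"""
from typing import Dict, List, Set

# Constructed sample: seed name -> edges hit during a dry run.
SEED_COVERAGE: Dict[str, Set[int]] = {
    "seed_a": {1, 2, 3, 4},
    "seed_b": {3, 4, 5},
    "seed_c": {6},
    "seed_d": {1, 2, 3, 4, 5},
    "seed_e": {4, 7},
}


def total_coverage_order(cov: Dict[str, Set[int]]) -> List[str]:
    """Rank seeds by how many edges each covers (ties broken by name)."""
    return sorted(cov, key=lambda s: (-len(cov[s]), s))


def additional_coverage_order(cov: Dict[str, Set[int]]) -> List[str]:
    """Greedy 'additional' rule: repeatedly schedule the seed that adds the
    most edges not yet covered by already scheduled seeds. Once no seed
    adds anything new, the rest follow in total-coverage order."""
    remaining = dict(cov)
    covered: Set[int] = set()
    order: List[str] = []
    while remaining:
        best = min(remaining, key=lambda s: (-len(remaining[s] - covered),
                                             -len(remaining[s]), s))
        if not remaining[best] - covered:
            order.extend(total_coverage_order(remaining))
            break
        order.append(best)
        covered |= remaining.pop(best)
    return order


def edges_after(order: List[str], cov: Dict[str, Set[int]], k: int) -> int:
    """Distinct edges reached by the first k seeds of a schedule: a quick
    way to compare how fast two orderings expose new program behaviour."""
    hit: Set[int] = set()
    for seed in order[:k]:
        hit |= cov[seed]
    return len(hit)


if __name__ == "__main__":
    for name, rule in (("total", total_coverage_order),
                       ("additional", additional_coverage_order)):
        order = rule(SEED_COVERAGE)
        print(name, order, "edges after 3 seeds:",
              edges_after(order, SEED_COVERAGE, 3))
```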